Email snooping IT admins like 'Dracula in charge of the blood bank'

Ben Grubb

About 40 per cent of IT administrators go snooping through emails of employees, particularly those of high-level executives, claims the chief executive of a firm that manages the IT security of various Australian companies and government agencies.

A company's IT admins have access to virtually every document company-wide - including executive files, payroll information and medical data - and many "can't help themselves" in gaining access to emails, says Carlo Minassian, founder and CEO of Earthwave, the North Sydney-based firm that is hired by organisations looking to outsource their IT security.

Mr Minassian, who also often hunts down people who are breaching IT policy within an organisation, says leaving IT admins unsupervised is like putting "Dracula in charge of the blood bank".

He said IT administrators snooping on email happened "regularly", went "unnoticed" in most instances, and added that it would continue to go unnoticed unless an IT admin had something to prove. Only when they get caught do police get involved.

"We know that 40 per cent of IT email administrators and IT managers look inside their manager's, their board's, their chief information officer's, and chief executive officer's emails regularly and read their email," Mr Minassian said in an interview at his office during a demonstration of what his firm does in Australia.

"So we catch people doing that [where] it's not the person that that email belongs to and so we alert the owner of the business or the security manager or whoever has contracted us."


His claim of 40 per cent of IT administrators snooping on employees did not surprise James Turner, an IT security industry analyst at the Australian firm IBRS.

"Do I think that IT staff take advantage of their privileges from time to time? Not all of them do but I think it absolutely does happen and this is why [companies should] have checks and balances," Mr Turner said.

He said he would be "fascinated" to see the data behind the 40 per cent statistic.

"If that's something that they've gathered from their own internal clients then that's an intriguing statistic."

He added that most companies expected IT to be able to break into an employee's email because a manager might need to access a critical staff member's email when that staff member was not available, but said giving them that capability meant it was "entirely possible and plausible" for them to go snooping.

"If you need them to be able to do that and they've got the capability to be able to do that then what are the chances that if they are feeling a little bit uncertain about the future of the company or they've got a personal issue going on that they might take advantage of it? It's entirely possible and plausible," Mr Turner said.

One IT administrator Fairfax Media spoke to, who did not wish to be named, said IT administrators had access to virtually every piece of information company-wide - not just emails.

"From executive files, payroll information, medical information and other databases, IT administrators need to be able to access that information to set permissions for other users," they said.

"Without being able to access that information you wouldn't be able to give other users access and would lock yourself out.

"Whether the IT administrator's morals are up to standards or whether they are going to use that information for personal gain is a different matter."

IT snooping on emails 'common'

Earthwave's Mr Minassian said IT administrators breaking into a manager's email without authorisation was a "very common occurrence because it's so accessible and so easy for [IT administrators] to cover their tracks because they can delete logs and they log in as administrator and there are no logs."

He said IT administrators "can't help themselves" as soon as they have control and authority over IT assets.

"There's a saying: 'Don't make Dracula in charge of the blood bank'," he said.

The same applied in the IT world. "It's about watching the doers."
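As an added illustration of the "watching the doers" point (example code written for this article, not Earthwave's or the agency's own tooling): the script below runs over a handful of constructed mailbox-access audit records, flags any read of a mailbox by someone other than its owner or an approved delegate, and stores the records as a hash chain so that a deleted or edited entry breaks verification. Every field name, account name and the chain seed is an assumption; the point is that the log an administrator can read should not be one that administrator can silently rewrite.

```python
import hashlib
import json

# Constructed sample audit records (not taken from the article).
SAMPLE_EVENTS = [
    {"ts": "2013-04-02T09:01:00Z", "actor": "ceo", "mailbox": "ceo",
     "role": "user", "action": "MailItemsAccessed"},
    {"ts": "2013-04-02T09:05:00Z", "actor": "it.admin1", "mailbox": "ceo",
     "role": "admin", "action": "MailItemsAccessed"},
    {"ts": "2013-04-02T09:06:00Z", "actor": "it.admin1", "mailbox": "ceo",
     "role": "admin", "action": "MailItemsAccessed"},
    {"ts": "2013-04-02T10:00:00Z", "actor": "assistant", "mailbox": "ceo",
     "role": "delegate", "action": "MailItemsAccessed"},
    {"ts": "2013-04-02T11:00:00Z", "actor": "it.admin2", "mailbox": "cfo",
     "role": "admin", "action": "SetMailboxPermission"},
]

# Documented, approved delegations as (actor, mailbox) pairs (assumed).
APPROVED_DELEGATES = {("assistant", "ceo")}

# Seed for the hash chain; in practice this would be kept by the log collector.
CHAIN_SEED = "constructed-seed"


def flag_non_owner_access(events, approved=APPROVED_DELEGATES):
    """Return read events where the actor is neither the owner nor an approved delegate."""
    flagged = []
    for e in events:
        if e["action"] != "MailItemsAccessed":
            continue  # permission changes are audited separately
        if e["actor"] == e["mailbox"]:
            continue  # owner reading their own mail
        if (e["actor"], e["mailbox"]) in approved:
            continue  # delegation is on record
        flagged.append(e)
    return flagged


def count_by_actor(events):
    """Summarise flagged events per actor so repeat offenders stand out."""
    counts = {}
    for e in events:
        counts[e["actor"]] = counts.get(e["actor"], 0) + 1
    return counts


def chain_records(events, seed=CHAIN_SEED):
    """Build an append-only chain: each entry carries the hash of the previous entry."""
    chain = []
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for e in events:
        record = dict(e)  # copy so later tampering tests do not alter the input
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chain.append({"prev": prev, "record": record, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, seed=CHAIN_SEED):
    """Return the index of the first broken link, or None if the chain is intact.

    Deleting or editing any entry changes the expected hash of that position and
    every position after it, so the tampering cannot go unnoticed by the verifier
    (which must live somewhere the administrator cannot write).
    """
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, entry in enumerate(chain):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return None


if __name__ == "__main__":
    suspicious = flag_non_owner_access(SAMPLE_EVENTS)
    print("non-owner reads:", count_by_actor(suspicious))
    chain = chain_records(SAMPLE_EVENTS)
    print("intact chain:", verify_chain(chain))
    print("after deleting entry 1:", verify_chain(chain[:1] + chain[2:]))
```

The chain only detects tampering if the hashes are forwarded, as they are written, to a store the administrators being watched cannot modify; a chain kept on the same host as the mailbox server is no better than the logs the article says get deleted.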

He recalled a recent example his company was contracted to look at where three IT administrators in a small Canberra-based government agency were snooping on management's email communications for months.

"[The government agency] didn't know who it was," Mr Minassian said of the incident which his firm was tasked to investigate about six months ago. "[The IT administrators] would regularly take data from internal board communications and management communications - including staff pay - [and] use Gmail and Hotmail accounts to email it to the entire staff," he said.

Some of the emails included information on what management were saying about each other and certain staff and other things that were happening within the organisation "that staff should not be exposed to", he said.

He said Earthwave was contracted to look into the incident after one of the agency's C-level executives contacted it to ask for assistance in finding out why certain emails from meetings were leaking. After being in contact with the executive, Earthwave installed an appliance on the network to sniff out the culprits.

"So we put that in and found out everything," Mr Minassian said, adding that police got involved and it resulted in the employees being dismissed.